Printer identity and security

ABSTRACT

A system and method for establishing a secure identity for a printing device at the time of manufacturing is provided. The method includes obtaining a first private key for use with a first operation of the printing device and obtaining a second private key for use with a second operation of the printing device. The method also includes loading the first private key into a secure memory portion of the printing device during manufacturing of the printing device, and loading the second private key into the secure memory portion of the printing device during manufacturing of the printing device.

FIELD

This disclosure relates to a method and system for establishing a unique and secure identity for a printing device at the time of manufacturing.

BACKGROUND

As printing devices become increasingly reliant on interconnectivity with customers, other printing devices, and servers, these printing devices become more open for attack or reconfiguration by unauthorized third parties. Unauthorized access to the printing device can lead to unauthorized access and/or distribution of private customer data. Also, unauthorized reconfiguration of the printing device can cause damage to the printing device.

SUMMARY

This application is directed to a method and system for establishing a unique and secure identity for a printing device at the time of manufacturing.

The printing device can be used, for example, to personalize plastic cards such as financial cards including credit and debit cards, identification cards, driver's licenses, and other personalized plastic cards. In some embodiments, the printing device is a card printer.

The embodiments described herein can generate a unique and secure identity for any type of printing device and subcomponents of the printing device. The types of printing devices and subcomponents of a printing device (hereinafter referred to simply as the printing device) can include, for example, a central card issuance system, a desktop card printer, a desktop embosser, a passport system, a desktop laminator, a smart card reader, an input and/or output card hopper, etc.

Each unique and secure identity can include one or more unique private keys, each of which is associated with a different operation (for example, authenticating a connection to a server or encrypting payload data) of the printing device. Each of the unique private keys can be stored in a secure memory portion of the printing device or be protected by a storage root key stored in a secure memory portion of the printing device. Authorization of a particular operation of the printing device can be established using a Public Key Infrastructure (PKI) with the particular private key that is associated with the particular operation to be performed by the printing device and the corresponding public key.

In some embodiments, the secure memory portion can store one or more public keys each of which is associated with a different operation (for example, authenticating supplies, performing a secure boot operation) of the printing device. Each of the unique public keys can be stored in a secure memory portion of the printing device or be protected by a storage root key stored in a secure memory portion of the printing device. Authorization of a particular operation of the printing device can be established using a Public Key Infrastructure (PKI) with the particular public key that is associated with the particular operation to be performed by the printing device and the corresponding private key.

The unique and secure identity can be generated at the time of manufacturing (e.g., at factory) to provide assurance to the user that the printing device is not configured with unauthorized firmware, hardware, and/or software. That is, the embodiments described herein can prevent the printing device from running if it is configured with unauthorized firmware, hardware and/or software. The embodiments described herein can also prevent network attacks that would allow an external device/software to monitor customer personalization data.

Establishing a unique printer identity at the time of manufacture provides each printing device with a verifiable identity and makes it harder to compromise the identity once the machine is placed into the field. It also creates a factory baseline for comparing authentic firmware to malware and/or other unwanted code that may be added in the field.

In some embodiments, a unique private key can be generated for each of the following operations: authentication of the printing device by a cloud server/service; authentication of supplies for use by the printing device; authentication of the printing device by a printer client (e.g., document design and/or issuance and/or management systems, etc.) using printer protocols; authenticate signed firmware for modification (e.g., firmware upgrade and/or firmware downgrade); authenticate a print manager; authenticate modular device security; authenticate configuration settings of the printing device; authenticate source of print jobs, configuration data, etc.; secure and/or measured boot of the printing device; Secure Sockets Layer/Transport Layer Security (SSL/TLS) authentication; authenticate modular device security (a multi-hopper, a touch screen, etc.); provide dual authentication; authenticate private key storage; authenticate file system encryption (e.g., whole file system encryption, customer data only encryption, etc.); payload encryption; etc.

In some embodiments, two or more of the unique private keys can be established during manufacturing of the printing device (e.g., “at factory”).

Also, in some embodiments, one or more of the unique private keys can also be established/loaded after manufacturing outside of the factory (e.g., by the customer, or by a Remote Monitoring and Management (RMM) server component) (hereinafter referred to as a “customer identity”). Accordingly, a customer can supplement the at factory or manufacturer identity with their own customer identity.

In one embodiment, a method for establishing a unique and secure identity of a printing device is provided. The method includes obtaining a first private key for use with a first operation (for example, TLS/SSL authentication) of the printing device. The method also includes obtaining a second private key for use with a second operation (for example, payload encryption) of the printing device. Also, the method includes loading the first private key into a secure memory portion of the printing device during manufacturing of the printing device. Further, the method includes loading the second private key into the secure memory portion of the printing device during manufacturing of the printing device.

In another embodiment, a printing device is provided. The printing device includes a printer functionality component, a network input/output, a processor and a secure memory portion. The printer functionality component performs a physical action on a customized personalization document such as a financial card or ID. The network input/output transmits and receives data outside the printing device. The processor controls operation of the printer functionality component. The secure memory portion stores a unique and secure identity of the printing device including at least one factory established key associated with a secure boot operation. In some embodiments, the unique and secure identity can include a plurality of factory established keys. Each of the plurality of factory established keys can be associated with a different operation of the printing device. In some embodiments, when the processor receives data that would require an operation to be performed by the printing device and a public key to authorize the operation, the processor can determine whether the operation is authorized based on the public key and a factory established private key associated with the operation before the processor processes the data and the printing device performs the operation. In some embodiments, when the processor receives data that would require an operation to be performed by the printing device and a private key to authorize the operation, the processor can determine whether the operation is authorized based on the private key and a factory established public key associated with the operation before the processor processes the data and the printing device performs the operation.

In yet another embodiment, a method for performing an operation of a printing device is provided. The method includes a processor of the printing device receiving, from an external secondary device, data and an authorization request for validating authorization for the printing device to perform the operation. The method also includes retrieving a key corresponding to the operation amongst one or more keys stored in a secure memory portion of the printing device. Also, the method includes the processor determining whether the operation is authorized using the authorization request and the retrieved key. Further, the method includes the printing device performing the operation when the operation is authorized, and includes the printing device performing a physical action on a customized personalization document.

In yet another embodiment, a printing device is provided. The printing device includes a housing, a card input in the housing, a card travel path, a print engine and a secure memory portion. The card travel path extends through the housing from the card input. The print engine is disposed along the card travel path. The secure memory portion stores a unique and secure identity of the printing device including at least one factory established key associated with an operation performed by the printing device.

In yet another embodiment, a method of generating a unique and secure identity of a printing device during manufacturing of the printing device is provided. The method includes reading a unique printing device serial number associated with a component of the printing device. The method also includes sending the unique printing device serial number to a certificate authority. Also, the method includes receiving from the certification authority a certificate that is unique to the printing device containing the unique printing device serial number. Further, the method includes loading the certificate to the printing device. In some embodiments, the unique printing device serial number can be placed in the common name field of the certificate.

DRAWINGS

FIG. 1 illustrates a schematic diagram of an exemplary architecture for a printing device, according to one embodiment;

FIG. 2 illustrates a flowchart of a method for providing identity and security to a printing device, according to one embodiment.

FIG. 3 illustrates a flowchart of a method for performing an operation of a printing device, according to one embodiment.

FIG. 4 illustrates a flowchart of a method for generating a unique and secure identity of a printing device during manufacturing of the printing device, according to one embodiment;

FIG. 5 illustrates one embodiment of a card printer that can be used with the embodiments described herein.

DETAILED DESCRIPTION

This application is directed to a method and system for establishing a unique and secure identity for a printing device at the time of manufacturing.

In particular, the embodiments described herein can generate a unique and secure identity for any type of printing device or subcomponent of a printing device. Each unique and secure identity can include one or more unique private keys, each of which is associated with a different operation of the printing device. Each of the unique private keys can be stored in a secure memory portion of the printing device.

Authorization of a particular operation of the printing device can be established using PKI with the particular private key associated with the particular operation in conjunction with the corresponding public key.

As described in the embodiments disclosed herein, a printing device includes a secure memory portion that stores a unique and secure identity defined at the time of manufacture and that can be verified remotely. In some embodiments, the customer can supplement the unique and secure identity with their own custom printer identity that is installed by the customer and stored in the secure memory portion. The custom printer identity can be used, for example, for TLS server authentication. In some embodiments, portions of the custom printer identity can be usable alongside portions of the unique and secure printer identity (e.g., for TLS client authentication). In some embodiments, portions of the custom printer identity can override portions of the unique and secure printer identity. Also, in some embodiments portions of the unique and secure printer identity that are overridden by portions of a customer printer identity can remain stored in the secure memory portion.

In some embodiments, one or more private keys associated with a certificate can be stored in a secure memory portion of a printing device. This can include private keys corresponding to a unique and secure printer identity, a customer printer identity, and/or a payload protection certificate. Data (e.g., public key(s), private key(s), certificate(s), storage root key(s), attestation identity key(s), etc.) stored in a secure memory portion of a printing device can include data entirely loaded/stored in the secure memory portion and data (including portions of data) stored outside of the secure memory portion that is protected by a storage root key that is stored in the secure memory portion.

The types of printing devices and subcomponents of a printing device (hereinafter referred to simply as the printing device) can include, for example, a central card issuance system, a desktop card printer, a desktop embosser, a passport system, a desktop laminator, a smart card reader, an input and/or output card hopper, etc. A unique and secure identity of the printing device, as defined herein, refers to one or more private keys stored within a secure memory portion of the printing device. The unique and secure identity of the printing device can also include one or more certificates, one or more public keys, and/or one or more key pairs (e.g., a public key and a private key). The unique and secure identity is generated at the time of manufacture and can be verified remotely. In some embodiments, a customer may be able to supplement the unique and secure identity with their own custom printer identity.

A private key, as defined herein, refers to a cryptographic key intended to be known only to a recipient that can be used to, for example, decipher data encrypted with a public key associated with the private key.

A public key, as defined herein, refers to a cryptographic key that can be obtained and used by anyone to, for example, encrypt data intended for a particular recipient that can only be deciphered by using the associated private key.

A certificate, as defined herein, refers to a digital document containing attributes associated to the printing device that is issued by an attribute authority and is used to characterize and/or entitle the printing device and/or a secondary device to operate or work with the printing device. The certificate can bind an identity to a particular key associated with the certificate. The certificate can include, for example, an issuance date of the certificate before which a key can be invalid, an expiration date of the certificate after which the key can become invalid, policy information including restrictions on the key associated with the certificate, a serial number of the printing device, a serial number for one or more unique subcomponents of the printing device (e.g., a serial number of a Trusted Platform Module (TPM), a serial number of a Field Programmable Gate Array (FPGA), etc.), a private key, a public key, etc.

A Certificate Authority (CA), as defined herein, can store, generate, issue, and sign one or more certificates, private keys, and/or public keys. A manufacturer CA refers to a CA that provides one or more certificates, private keys, and/or public keys to a printing device at factory and/or during manufacturing of the printing device. A third party CA includes a CA that a customer can use to provide one or more certificates, private keys, and/or public keys to a printing device after manufacturing of the printing device.

A secure memory portion, as defined herein, refers to an isolated memory portion associated with the printing device that stores the unique and secure identity of the printing device therein. The secure memory portion can store, for example, a storage root key, an attestation identity key, one or more certificates, one or more private keys, and/or one or more public keys.

An attestation identity key, as defined herein, refers to an identity key that can be used to find and bind other identity keys stored in a secure memory portion to an endorsement key in order to complete a chain of trust between, for example, an endorsement key and each of a plurality of keys (including private keys) stored in the secure memory portion and associated with an identity (e.g., the unique and secure identity, one or more customer identities, etc.). The attestation identity key can attest to the fact that a particular key exists in the secure memory portion and can attest to measurements submitted to the secure memory portion to allow the secure memory portion to sign off on the measurements for later verification (e.g., during a measured boot discussed below).

A storage root key, as defined herein, refers to a key used to protect data and/or other keys stored outside of a secure memory portion.

The term “cryptographic hash”, as defined herein, refers to a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size that is designed to be a one-way function (i.e., a function that is infeasible to invert).

A hardware security module (HSM), as defined herein, refers to a physical computing device that safeguards and manages digital keys for storing authentication and providing crypto-processing.

A factory established key, as defined herein, refers to a key (e.g., public, private, etc.) that is stored in the secure memory portion at a time during manufacturing of the printing device. The factory established key may be obtained and/or generated within the factory or outside of the factory.

FIG. 1 illustrates a schematic diagram of an exemplary architecture for a printing device 100 that can be used in the embodiments described herein. The printing device 100 generally includes one or more printer functionality component(s) 105, a processor 110, an optional user input/output (I/O) 115, a network I/O 120, a non-secure memory portion 125, a storage 130, a secure memory portion 135, and an interconnect 150. The printing device 100 can be in communication with one or more secondary devices 180 through a network 140. Optionally, the printing device 100 can also be in communication with one or more hardware security module(s) (HSM(s)) 185.

The printing device 100 is generally representative of hardware aspects of a variety of printing devices and subcomponents that can be used in the issuance of a customized personalization document. Examples of the printing device 100 can include a distributed issuance printer, a central card issuance system, a desktop card printer, a desktop embosser, a passport system, a desktop laminator, a smart card reader, an input and/or output card hopper, etc. It will be appreciated that the examples of the printing device 100 listed above are exemplary and other types of printing devices can also be included.

The printer functionality component 105 can perform one or more primary functions of the printing device 100. For example, when the printing device 100 is a desktop card printer, the printer functionality component 105 can print a card. In another example, when the printing device 100 is a desktop embosser, the printer functionality component 105 can emboss a card. In yet another example, when the printing device 100 is a desktop laminator, the printer functionality component 105 can laminate a card. Printer functionality component 105 can include a magnetic stripe station that can read and/or write data to a magnetic stripe. Printer functionality component 105 can also include a chip programming station that can read data on a chip and/or write data to a chip.

The processor 110 controls operation of the printing device 100 including the printer functionality component 105, the network I/O 120 and the optional user I/O 115. The processor 110 can retrieve and execute programming data obtained by the network I/O 120 and/or the optional user I/O 115 and stored in the non-secure memory portion 125, the secure memory portion 135 and/or the storage 130. The processor 110 can also store, identify and use application data residing in the non-secure memory portion 125.

The interconnect 150 is used to transmit programming instructions and/or application data between the processor 110, the printer functionality component 105, the optional user I/O 115, the network I/O 120, the non-secure memory portion 125, the storage 130, and the secure memory portion 135. The interconnect 150 can, for example, be one or more busses or the like. The processor 110 can be a single processor, multiple processors, or a single processor having multiple processing cores.

The optional user I/O 115 can include a display 116 and/or an input 117, according to some embodiments. It is to be appreciated that the optional user I/O 115 can be one or more devices connected in communication with the printing device 100 that is physically separate from the printing device 100. For example, the display 116 and the input 117 can be connected in communication but be physically separate from the printing device 100. In some embodiments, the display 116 and input 117 can be physically included with the printing device 100.

The display 116 can include any of a variety of display devices suitable for displaying information to the user. Examples of devices suitable for the display 116 include, but are not limited to, a cathode ray tube (CRT) monitor, a liquid crystal display (LCD) monitor, a light emitting diode (LED) monitor, or the like.

The input 117 can include any of a variety of input devices or means suitable for receiving an input from the user. Examples of devices suitable for the input 117 include, but are not limited to, a keyboard, a mouse, a trackball, a button, a voice command, a proximity sensor, an ocular sensing device for determining an input based on eye movements (e.g., scrolling based on an eye movement), or the like. It is to be appreciated that combinations of the foregoing inputs 117 can be included as the input 117. In some embodiments, the input 117 can be integrated with the display 116 such that both input and output are performed by the display 116.

The network I/O 120 is configured to transmit and receive data to one or more secondary device(s) 180 and optionally one or more hardware security module(s) (HSM(s)) 185 via the network 140. The network 140 may alternatively be referred to as the communications network 140. Examples of the network 140 can include, but are not limited to, a local area network (LAN), a wide area network (WAN), the Internet, a wired communication link, or the like. In some embodiments, the network I/O 120 can transmit and receive data via the network 140 through a wireless connection using WiFi, Bluetooth, ZigBee or other similar wireless communication protocols. In some embodiments, the printing device 100 can transmit data via the network 140 through a cellular, 3G, 4G, or other wireless protocol. In some embodiments, the network I/O 120 can transmit and receive data via a wire line, an optical fiber cable, a Universal Serial Bus “USB” cable, or the like. It is to be appreciated that the network I/O 120 can communicate through the network 140 through suitable combinations of the preceding wired and wireless communication methods.

The non-secure memory portion 125 is generally included to be representative of a random access memory such as, but not limited to, Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), or Flash. In some embodiments, the non-secure memory portion 125 can be a volatile memory. In some embodiments, the non-secure memory portion 125 can be a non-volatile memory. In some embodiments, at least a portion of the memory can be virtual memory.

The storage 130 is generally included to be representative of a non-volatile memory such as, but not limited to, a hard disk drive, a solid state device, removable memory cards, optical storage, flash memory devices, network attached storage (NAS), or connections to storage area network (SAN) devices, or other similar devices that may store non-volatile data. In some embodiments, the storage 130 is a computer readable medium. In some embodiments, the storage 130 can include storage that is external to the printing device 100, such as in a cloud.

The secure memory portion 135 is generally included to be representative of a memory storage device that is distinct and/or separate from the non-secure memory portion 125 and the storage 130. In some embodiments, the secure memory portion 135 includes a processor. The secure memory portion 135 can include, for example, a secure crypto processor such as a TPM, a JAVA card, a memory device, etc. Suitable TPMs are sold by Infineon Technologies AG (Munich, Germany). In some embodiments, the secure memory portion 135 includes the capabilities for the secure generation of cryptographic keys. In some embodiments, private keys used in the secure memory portion 135 are not accessible on a bus or to external programs and all encryption/decryption is done within the secure memory portion 135. In some embodiments, the secure memory portion 135 can be part of the same memory device as the non-secure memory portion 125 and/or the storage 130, but isolated from the non-secure memory portion 125 and/or the storage 130.

The secure memory portion 135 is configured to store the unique and secure identity of the printing device 100 generated at the factory and/or during manufacturing of the printing device 100. In particular, the secure memory portion 135 can store a plurality of private keys that help form the unique and secure identity of the printing device 100. Each of the private keys can be associated with a different operation of the printing device 100. In some embodiments, the printing device 100 can be issued one or more certificates by a Central Authority (CA) such as, for example, a manufacturing CA with any corresponding private keys stored in the secure memory portion 135.

In some embodiments, at the time of manufacturing the printing device 100, a CA can generate four key pairs (e.g., a storage root key pair, an attestation key pair, printer identity key pair, and a payload protection key pair) and three certificates (e.g., an attestation certificate, a printer identity certificate, and a payload protection certificate). The printer identity certificate and/or the payload protection certificate may contain a serial number unique to a component of the printer.

The secure memory portion 135 can also store one or more custom printer identities provided by a customer after manufacturing of the printing device 100. Each custom printer identity can include one or more custom private keys that can supplement and/or override one or more private keys of the unique and secure identity.

In some embodiments, storing a plurality of private keys in the secure memory portion refers to using a storage root key stored in the secure memory portion 135 to protect the private keys, for example by encryption, that are then stored outside of the secure memory portion 135. Private keys protected by the storage root key can be decrypted by passing them back through the secure memory portion 135. Accordingly, the secure memory portion 135 is not required to store each of the private keys in their entirety and thus storage space within the secure memory portion 135 can be reduced. Authorization of a particular operation of the printing device 100 can be established using the particular private key associated with the particular operation.

To illustrate, in one example, the secure memory portion 135 can include a public key to authenticate supplies (e.g., printer ribbon, printer ink, etc.) to be used by the printer functionality component 105. When a supply is added to the printing device 100, the processor 110 can check to see that the supply has an authorization request (e.g., a private key certificate, a public key certificate, etc.). If the supply has an authorization request, the processor 110 can use the particular public key associated with adding supplies to the printing device 100 and use the public key in conjunction with the authorization request to ensure that the supply is authorized by the printing device 100. If the supply does not include an authorization request or if the authorization request is not authorized by the public key, the processor 110 can instruct the printer functionality component 105 not to operate until the supply is replaced and/or provide a notification/alarm to the user.

In some embodiments, a unique private key can be generated for authentication of the printing device 100 by a cloud server/service via the network I/O 120, for example during initial registration or enrollment of the printing device 100 to the cloud server/service.

In some embodiments, a unique private key can be generated for authentication of supplies (e.g., printer ribbon, printer ink, etc.) for use by, for example, the printer functionality component 105 of the printing device 100.

In some embodiments, a unique private key can be generated for authentication of the printing device 100 by a printer client (e.g., document design and/or issuance and/or management systems, etc.) using printer protocols.

In some embodiments, a unique private key can be generated for authentication of the printing device by a print manager.

In some embodiments, a unique private key can be generated to authenticate a firmware upgrade and/or downgrade. This can include authentication for, for example, major and minor releases and patches.

In some embodiments, a unique private key can be generated to authenticate modular device security. This can include authentication for, for example, a multi-hopper, a touch screen, etc.

In some embodiments, a unique private key can be generated to authenticate configuration settings of the printing device 100. This can include authentication for, for example, printer speed settings, printer color parameter settings, etc. In some embodiments, a unique private key can be generated to authenticate a source of print job(s), configuration data, etc. This can include authentication for, for example, each client sending a print job to the printing device 100.

In some embodiments, a unique private key can be generated to facilitate a secure boot of the printing device 100. This can include authentication, for example, every time the printing device 100 is turned on. Accordingly, the printing device 100 can be prevented from running when configured, for example, with unauthorized software. The customer can therefore be confident that the printing device 100 is running safe and secure software (e.g., the manufacturer provided software).

For example, in a secure boot, each step of the booting process verifies authentication of the secure boot prior to moving onto the next step of the booting process.

In some embodiments, a cryptographic hash of a public key is programmed into the processor 110 and an internal boot loader (e.g., a boot read-only memory (ROM)) of the processor 110 can refuse to transfer control to an external boot loader unless it is signed with a private key matching the cryptographic hash of the public key.

In some embodiments, the cryptographic hash of a public key (e.g., a secure boot public key) can be burned into a portion of the processor 110. That is, the cryptographic hash of the public key can be programmed into a fuse block of the processor 110 so that the cryptographic hash of the public key can be read but not reprogrammed. Accordingly, the amount of storage space in the processor required can be reduced as the cryptographic hash of the public key takes up less storage space than the public key. For example, in one embodiment, the secure boot public key can have a storage space size of more than 2000 bits and the cryptographic hash of the secure boot key can have a storage space size of about 160 bits up to about 256 bits. In some embodiments, the portion of the processor 110 can be a P1010 security fuse processor available from Freescale Semiconductor, Inc., which was acquired by NXP (Eindhoven, Netherlands).

In some embodiments, a private key (e.g., a security boot private key)can be stored offline and external of the printing device 100 (e.g., ata CA).
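The fuse check and signature check described above, as an added Go sketch that is not part of the patent. Ed25519 and SHA-256 stand in for the unspecified algorithms, and the type names, function names, keys and image bytes are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// FuseBlock models the write-once fuse area of the processor. It stores only
// the SHA-256 digest of the secure boot public key, never the key itself.
type FuseBlock struct {
	PubKeyHash [sha256.Size]byte
}

// BootImage is the external boot loader as delivered: code, the public key
// claimed to be the secure boot key, and a signature over the code.
type BootImage struct {
	Code      []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

var (
	ErrKeyMismatch  = errors.New("secure boot: public key does not match fused hash")
	ErrBadSignature = errors.New("secure boot: image signature invalid")
)

// BurnFuses is the factory step: hash the public key and program the fuses.
func BurnFuses(pub ed25519.PublicKey) FuseBlock {
	return FuseBlock{PubKeyHash: sha256.Sum256(pub)}
}

// SignImage runs offline, where the secure boot private key is kept.
func SignImage(priv ed25519.PrivateKey, code []byte) BootImage {
	return BootImage{
		Code:      code,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, code),
	}
}

// VerifyStage is the internal boot loader's check before it hands over
// control: first pin the supplied key to the fuses, then verify the signature.
func VerifyStage(f FuseBlock, img BootImage) error {
	if len(img.PublicKey) != ed25519.PublicKeySize {
		return ErrKeyMismatch
	}
	digest := sha256.Sum256(img.PublicKey)
	if subtle.ConstantTimeCompare(digest[:], f.PubKeyHash[:]) != 1 {
		return ErrKeyMismatch
	}
	if !ed25519.Verify(img.PublicKey, img.Code, img.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Demo checks three constructed images against one fused device: a genuine
// image, the same image with altered code, and the altered code re-signed
// with a key that was never fused.
func Demo() (genuine, patched, resigned error) {
	vendor := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	other := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
	fuses := BurnFuses(vendor.Public().(ed25519.PublicKey))

	good := SignImage(vendor, []byte("external boot loader v1 (constructed)"))
	genuine = VerifyStage(fuses, good)

	tampered := good
	tampered.Code = append([]byte("patched: "), good.Code...)
	patched = VerifyStage(fuses, tampered)

	resigned = VerifyStage(fuses, SignImage(other, tampered.Code))
	return
}

func main() {
	g, p, r := Demo()
	fmt.Println("genuine image:        ", g)
	fmt.Println("altered code:         ", p)
	fmt.Println("re-signed, other key: ", r)
}
```

Only the 32-byte digest lives in the fuses, so the full public key has to travel with the image and is trusted only after it hashes to the fused value.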

In some embodiments, a unique private key can be generated to authenticate a measured boot of the printing device 100. In a measured boot, authentication is not necessarily verified at each step of the booting process before allowing the booting process to proceed to the next step. Rather, in a measured boot, each step of the booting process is measured and stored (in some embodiments as a cryptographic hash) in the secure memory portion 135 for later attestation. The measured boot may continue to proceed through each step of the booting process even if proper authentication has not been verified at one or more of the previous steps of the booting process.

In one embodiment of a measured boot, at each step of the booting process the external boot loader can initialize the secure memory portion 135, measure a current state of the boot process (e.g., firmware image) of the external boot loader and a current state of the boot process (e.g., firmware image) of an operating system of the printing device 100, and send the results to the secure memory portion 135 for secure attestation. The attestation identity key can be used by the secure memory portion 135 to attest to the results sent to the secure memory portion 135 for later verification.
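An added illustration of measured boot and later attestation, not taken from the patent. It assumes a TPM-style extend operation (register = SHA-256(register || digest)), an Ed25519 attestation identity key, and constructed images, stage names and nonce.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Event is one entry of the measurement log: which stage, and its digest.
type Event struct {
	Stage  string
	Digest [sha256.Size]byte
}

// SecureMemory stands in for the secure memory portion: it holds the running
// measurement register and the attestation identity key (AIK).
type SecureMemory struct {
	reg [sha256.Size]byte
	aik ed25519.PrivateKey
	Log []Event
}

// Quote is the attestation: the register value, signed together with a nonce.
type Quote struct {
	Reg [sha256.Size]byte
	Sig []byte
}

// extend folds a digest into the register: reg' = SHA-256(reg || digest).
func extend(reg, digest [sha256.Size]byte) [sha256.Size]byte {
	return sha256.Sum256(append(reg[:], digest[:]...))
}

// Measure records a stage and always returns; nothing here blocks the boot.
func (s *SecureMemory) Measure(stage string, image []byte) {
	d := sha256.Sum256(image)
	s.reg = extend(s.reg, d)
	s.Log = append(s.Log, Event{Stage: stage, Digest: d})
}

func quoteMessage(nonce []byte, reg [sha256.Size]byte) []byte {
	return append(append([]byte{}, nonce...), reg[:]...)
}

// Attest signs the current register and the verifier's nonce with the AIK.
func (s *SecureMemory) Attest(nonce []byte) Quote {
	return Quote{Reg: s.reg, Sig: ed25519.Sign(s.aik, quoteMessage(nonce, s.reg))}
}

// VerifyQuote is the remote verifier: check the AIK signature, replay the log
// into a fresh register, then compare every digest with the known-good value.
func VerifyQuote(aik ed25519.PublicKey, nonce []byte, q Quote, log []Event, golden map[string][sha256.Size]byte) string {
	if !ed25519.Verify(aik, quoteMessage(nonce, q.Reg), q.Sig) {
		return "untrusted: bad quote signature"
	}
	var reg [sha256.Size]byte
	for _, e := range log {
		reg = extend(reg, e.Digest)
	}
	if reg != q.Reg || len(log) != len(golden) {
		return "untrusted: log incomplete or inconsistent with quote"
	}
	for _, e := range log {
		if want, ok := golden[e.Stage]; !ok || want != e.Digest {
			return "untrusted: unexpected measurement for " + e.Stage
		}
	}
	return "trusted"
}

// GoodOS is the constructed known-good operating system image.
var GoodOS = []byte("printer OS v1 (constructed)")

// BootAndAttest boots with the given OS image and returns how many stages
// ran plus the verifier's verdict. All inputs are constructed sample data.
func BootAndAttest(osImage []byte) (int, string) {
	loader := []byte("external boot loader v1 (constructed)")
	golden := map[string][sha256.Size]byte{
		"bootloader": sha256.Sum256(loader),
		"os":         sha256.Sum256(GoodOS),
	}
	sm := &SecureMemory{aik: ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x33}, ed25519.SeedSize))}
	sm.Measure("bootloader", loader)
	sm.Measure("os", osImage) // measured, not blocked: the boot carries on
	nonce := []byte("verifier nonce 0001 (constructed)")
	aikPub := sm.aik.Public().(ed25519.PublicKey)
	return len(sm.Log), VerifyQuote(aikPub, nonce, sm.Attest(nonce), sm.Log, golden)
}

func main() {
	n, verdict := BootAndAttest(GoodOS)
	fmt.Println(n, "stages booted,", verdict)
	n, verdict = BootAndAttest([]byte("printer OS v1 + unauthorized change (constructed)"))
	fmt.Println(n, "stages booted,", verdict)
}
```

Both runs complete two stages; the difference only shows up when the verifier replays the log, which is the contrast with secure boot drawn above.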

In some embodiments, the external boot loader can be configured to store one or more of: a public key for verification of a firmware signing key, a list of additional trusted firmware signing key pairs, and a blacklist of unsecure firmware images.

In some embodiments, a unique private key can be generated for SSL/TLS authentication between the printing device 100 and one or more secondary devices 180 such as, for example, a server. Also, in some embodiments, a unique private key for SSL/TLS authentication generated during manufacturing of the printing device can be replaced with a customer initiated unique private key for SSL/TLS authentication. In other embodiments, the unique private key for SSL/TLS authentication generated during manufacturing of the printing device can be used alongside a customer initiated unique private key for SSL/TLS authentication. In these embodiments, a TLS server can indicate which private key it wants by specifying the Root of Trust supported as part of the TLS handshake between the TLS server and the printing device 100.

In some embodiments, when a client (e.g., a print driver, a management tool, etc.) connects to the printing device 100, the connection can be performed over/using TLS and the printing device 100 can use a printer identity certificate to determine whether the client is authorized to connect to the printing device 100.

In some embodiments, a manufacturer printer identity certificate issued by a manufacturer CA during manufacturing of the printing device 100 can be for TLS server authentication, TLS client authentication, and other purposes of the printing device 100. In these embodiments, the manufacturer printer identity certificate includes a TLS private key(s) that can be stored in the secure memory portion 135, while the TLS authentication public key(s) can be certified by a CA. A customer may additionally configure a separate custom printer identity certificate that can be, for example, self-signed by the printing device 100, or generated by a third party CA. The printing device 100 can be configured to use the custom printer identity certificate instead of the manufacturer printer identity certificate. In some embodiments, even if the custom printer identity certificate is used instead of the manufacturer printer identity certificate, the manufacturer printer identity certificate may remain saved in the secure memory portion 135.

In some embodiments, a unique private key can be generated to provide dual authentication communication via the network I/O 120. This can include authentication, for example, to allow user(s) to log into the printing device 100 and/or access the printing device 100.

In some embodiments, a unique private key can be generated to authenticate key and certificate storage. This can include authentication for, for example, field overwrites of one or more private keys (e.g., authenticate a customer initiated private key).

In some embodiments, a unique private key can be generated to authenticate file system encryption (e.g., whole file system encryption, customer data only encryption, etc.). This can include authentication for providing file system encryption for, for example, log files, job history, etc.

In some embodiments, a unique private key can be generated to facilitate payload encryption. Payload encryption can allow data to be encrypted prior to being transmitted over, for example, a TLS connection. In some embodiments, separate certificates with separately configured roots of trust can be used for data sent to the printing device 100 and data transmitted by the printing device 100.

In some embodiments, the printing device 100 can be issued a payload protection certificate that can be used by, for example, one or more backend systems to encrypt data that is to be sent to the printing device 100. In some embodiments, the payload protection certificate may also be used by the printing device 100 to sign data originating from the printing device 100. A payload protection private key can be stored in the secure memory portion 135 and a payload protection public key can be certified by a manufacturer CA during manufacturing of the printing device 100. A customer may additionally configure a separate custom payload protection certificate that can be, for example, self-signed by the printing device 100, or generated by a third party CA. The printing device 100 can be configured to use the custom payload protection certificate instead of a manufacturer printer identity certificate. In some embodiments, even if the custom payload protection certificate is used instead of the manufacturer payload protection certificate, the manufacturer payload protection certificate may remain saved in the secure memory portion 135.

In some embodiments, two or more of the unique private keys can be established while the printing device 100 is still being manufactured (also known as an “at factory identity”).

Also, in some embodiments, one or more of the unique private keys can also be established after manufacturing of the printing device and/or outside of the factory (e.g., by the customer, a legacy printing device (e.g., a printing device without a secure memory portion)), or by a RMM server component (also known as a “customer identity”). A private key established outside of the factory is referred to herein as a customer initiated private key. In some embodiments, the two or more unique private keys of the at factory identity can be part of one Root of Trust while the one or more customer initiated private keys can be part of one or more different Roots of Trust. Accordingly, a customer can supplement the at factory identity with their own customer identity that is installed into the printing device 100. For example, encrypting and/or decrypting operations of the printing device 100 can use a customer initiated private key to protect customer specific data being encrypted or decrypted (e.g., name information, credit card number information, date of birth information, etc.). In some instances, a customer initiated private key cannot replace and/or override a factory established private key in order to protect specific operations (e.g., maintenance operations) performed by the printing device 100. For example, a customer initiated private key may not be used for a firmware upgrade and/or downgrade operation, for a maintenance task of the printing device 100, for creating and/or replacing the at factory identity, etc.

In some embodiments, the printing device 100 can communicate with one or more optional HSM(s) 185. Each of the optional HSM(s) 185 can include, for example, a secure crypto processor such as a TPM, a JAVA card, a memory device, etc. Each of the HSM(s) 185 can be configured to store one or more certificates, one or more public keys, one or more private keys, an attestation identity key, and/or a storage root key associated with the printing device 100. In some embodiments, one or more of the HSM(s) 185 can work in conjunction with and/or in lieu of the secure memory portion 135.

FIG. 2 illustrates a flowchart of one embodiment of a method 200 for providing identity and security to the printing device 100 shown in FIG. 1. At 205, while at a factory, the processor 110 of the printing device 100 obtains a private key for use with a first operation of the printing device 100. The first operation can be any of the operations discussed above with respect to FIG. 1. For example, in one embodiment, the first operation can be TLS/SSL authentication. In some embodiments, the private key can be issued to the printing device 100 by an attribute authority. At 210, during manufacturing of the printing device 100, the processor 110 loads the private key into the secure memory portion 135.

At 215, during manufacturing of the printing device 100, the processor 110 of the printing device 100 obtains an additional private key for use with an additional operation of the printing device 100. Similar to the first operation, the additional operation can be any of the operations discussed above with respect to FIG. 1. For example, in one embodiment, the second operation can be payload encryption. In some embodiments, the additional private key can also be issued to the printing device 100 by the attribute authority. At 220, during manufacturing of the printing device 100, the processor 110 loads the additional private key into the secure memory portion 135.

At 225, the processor 110 determines whether any other private keys are to be issued to establish the unique and secure identity of the printing device 100 during manufacturing of the printing device 100. If another private key is to be issued during manufacturing, the method 200 proceeds back to 215. If no other private keys are to be issued during manufacturing, the method 200 proceeds to 230.

At 230, after the printing device 100 is manufactured and/or is outside of the factory, the processor 110 waits for a customer to supplement the unique and secure identity of the printing device 100. At 235, the processor 110 obtains a customer initiated private key for use with an operation of the printing device 100. The operation can be any of the operations discussed above with respect to FIG. 1. In some embodiments, the customer initiated private key is issued to the printing device 100 by an attribute authority.

In some embodiments, the attribute authority can be the same attribute authority that issued the first private key and the additional private key(s). In other embodiments, the attribute authority can be a different attribute authority. Also, in some embodiments, the customer initiated private key can be part of a different Root of Trust than the Root of Trust for the first private key and the additional private key(s). Customer initiated private key(s) that are part of a different Root of Trust than the private keys loaded into the secure memory portion 135 during manufacturing allow a customer to protect and control customer specific data.

At 240, the processor 110 loads the customer initiated private key into the secure memory portion 135. In some embodiments, when the customer initiated private key is for an operation for which the secure memory portion 135 has already stored a private key, the processor 110 replaces the previously stored private key with the customer initiated private key. In other embodiments, the processor 110 stores both the previously stored private key and the customer initiated private key in the secure memory portion 135. The process 200 then returns to 230.

FIG. 3 illustrates a flowchart of one embodiment of a method 300 for performing an operation of the printing device 100 shown in FIG. 1. The operation can be any of the operations discussed above with respect to FIG. 1. At 305, the printing device waits to receive data that requires the printing device 100 to perform an operation and an authorization request (e.g., a public key certificate, a private key certificate, etc.) for the operation. The data and authorization request may be received via the network I/O 120 and/or the optional user I/O 115. Once data requiring the printing device 100 to perform an operation and an authorization request is received, the method 300 then proceeds to 310.

At 310, a key (e.g., a private key, a public key, etc.) associated with the operation to be performed is identified from one or more keys stored in the secure memory portion 135. In some embodiments, the processor 110 can identify the key to be used. In other embodiments, a processor within the secure memory portion 135 can identify the key to be used. It will be appreciated that in other embodiments, any other processor external or internal to the printing device 100 could also identify the key to be used. The method 300 then proceeds to 315.

At 315 the authorization request is validated using the authorization request and the identified key to determine whether the operation is authorized. In some embodiments, the processor 110 can validate the authorization request. In other embodiments, a processor within the secure memory portion 135 can validate the authorization request. It will be appreciated that in other embodiments, any other processor external or internal to the printing device 100 can also validate the authorization request. If it is determined that the operation is authorized based on the authorization request and the identified key at 320, the method 300 proceeds to 325. Otherwise, the method 300 proceeds to 330.

At 325, the printing device 100 performs the operation and the method 300 returns to 305. At 330, the processor 110 cancels the operation and can optionally provide a notification/alarm to the user. The method 300 then returns to 305.
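Method 300 as an added Go sketch, not the patent's own code. It assumes the authorization request is an Ed25519 signature over the operation name and the data, that the secure memory portion holds public keys per operation, and hypothetical operation names; it also applies the earlier rule that customer initiated keys cannot authorize factory-protected operations.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Origin records which root of trust a key belongs to.
type Origin int

const (
	Factory Origin = iota
	Customer
)

// factoryOnly names operations that customer initiated keys may never
// authorize. The operation names are hypothetical.
var factoryOnly = map[string]bool{"firmware-upgrade": true, "maintenance": true}

var (
	ErrFactoryOnly = errors.New("operation accepts factory established keys only")
	ErrBadKey      = errors.New("malformed public key")
)

// KeyStore stands in for the secure memory portion: keys indexed by operation.
type KeyStore struct{ keys map[string][]ed25519.PublicKey }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]ed25519.PublicKey{}} }

// Load stores a key next to any existing ones for the same operation.
func (ks *KeyStore) Load(op string, origin Origin, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return ErrBadKey
	}
	if origin == Customer && factoryOnly[op] {
		return ErrFactoryOnly
	}
	ks.keys[op] = append(ks.keys[op], pub)
	return nil
}

// Request is what arrives at step 305: data plus an authorization request.
type Request struct {
	Operation string
	Data      []byte
	Auth      []byte // signature over the operation name and the data
}

// signedBytes binds the operation name into what is signed, so an
// authorization issued for one operation cannot be replayed for another.
func signedBytes(op string, data []byte) []byte {
	return append([]byte(op+"\x00"), data...)
}

func SignRequest(priv ed25519.PrivateKey, op string, data []byte) Request {
	return Request{op, data, ed25519.Sign(priv, signedBytes(op, data))}
}

// Handle runs steps 310 to 330 and reports what the printer did.
func (ks *KeyStore) Handle(r Request) string {
	for _, pub := range ks.keys[r.Operation] { // 310: keys for this operation
		if ed25519.Verify(pub, signedBytes(r.Operation, r.Data), r.Auth) { // 315/320
			return "performed " + r.Operation // 325
		}
	}
	return "cancelled " + r.Operation // 330
}

// Demo runs constructed requests through the store and returns each outcome.
func Demo() []string {
	factory := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x44}, ed25519.SeedSize))
	customer := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x55}, ed25519.SeedSize))
	fpub, cpub := factory.Public().(ed25519.PublicKey), customer.Public().(ed25519.PublicKey)
	ks := NewKeyStore()
	ks.Load("firmware-upgrade", Factory, fpub)
	ks.Load("payload-encryption", Factory, fpub)
	ks.Load("payload-encryption", Customer, cpub) // kept alongside the factory key
	refused := ks.Load("firmware-upgrade", Customer, cpub)
	fw, job := []byte("firmware 2.0 (constructed)"), []byte("card job 17 (constructed)")
	replay := SignRequest(factory, "payload-encryption", fw)
	replay.Operation = "firmware-upgrade" // valid signature, wrong operation
	return []string{
		fmt.Sprint(refused),
		ks.Handle(SignRequest(factory, "firmware-upgrade", fw)),
		ks.Handle(SignRequest(customer, "firmware-upgrade", fw)),
		ks.Handle(SignRequest(customer, "payload-encryption", job)),
		ks.Handle(replay),
		ks.Handle(SignRequest(factory, "print-manager", job)),
	}
}

func main() {
	for _, line := range Demo() {
		fmt.Println(line)
	}
}
```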

FIG. 4 illustrates a flowchart of a method 400 for generating a unique and secure identity of a printing device during manufacturing of the printing device. The method begins at 405 whereby a unique printing device serial number from the printing device being manufactured is read. The unique printing device serial number can include, for example, the serial number for the entire printing device, the serial number for one or more subcomponents of the printing device (e.g., the serial number of a TPM, the serial number of a FPGA, etc.), etc. In some embodiments, a client reads the unique printing device serial number from the printing device being manufactured.

At 410, the unique printing device serial number is sent to a CA. In some embodiments, a client sends the unique printing device serial number to the CA.

At 415, the CA generates a certificate unique to the printing device that is based on and includes the unique printing device serial number. The private key can be associated with any one of a plurality of different operations of the printing device. By using the unique printing device serial number to generate the certificate, an identity is generated for the printing device being manufactured that is both unique and secure.

In some embodiments, a certificate can be generated for each of the following operations: authentication of the printing device by a cloud server/service; authentication of supplies for use by the printing device; authentication of the printing device by a printer client (e.g., document design and/or issuance and/or management systems, etc.) using printer protocols; authenticate signed firmware for upgrade and/or downgrade; authenticate a print manager; authenticate modular device security; authenticate configuration settings of the printing device; authenticate source of print jobs, configuration data, etc.; authenticate secure and/or measured boot of the printing device; Secure Sockets Layer/Transport Layer Security (SSL/TLS) authentication; authenticate modular device security (a multi-hopper, a touch screen, etc.); provide dual authentication; authenticate key and certificate storage; authenticate file system encryption (e.g., whole file system encryption, customer data only encryption, etc.); authenticate payload encryption; etc.

At 420, the CA sends the certificate to the printing device. In some embodiments, the CA can send the certificate to the printing device directly. In other embodiments, the CA can send the certificate to the client and the client then forwards the certificate over to the printing device.

At 425, the printing device stores a private key associated with the certificate into a secure memory portion of the printing device while the printing device is being manufactured. This provides assurance to the user that the printing device is not configured with unauthorized firmware, hardware, and/or software. Also, this can prevent the printing device from running if it is configured with unauthorized firmware, hardware and/or software. This can also prevent network attacks that would allow an external device/software to monitor customer personalization data.
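Steps 405 to 425 as an added Go example, not the patent's code. It assumes the device generates its own key pair and sends the public half with the serial number, places the serial number in the certificate's common name, and uses constructed CA names and serial numbers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type CA struct { // stand-in for the manufacturer certificate authority
	Cert *x509.Certificate
	key  ed25519.PrivateKey
}

// sign fills in a random serial and a validity window, then signs tmpl.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) ([]byte, error) {
	sn, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = sn.Add(sn, big.NewInt(1)) // certificate serial, never zero
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().AddDate(10, 0, 0)
	return x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
}

func NewCA(name string) (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign, // root may only sign certificates
	}
	der, err := sign(tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: priv}, nil
}

// Issue is step 415: bind the device serial number to the device public key.
func (ca *CA) Issue(deviceSerial string, devicePub ed25519.PublicKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: deviceSerial},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, ca.Cert, devicePub, ca.key)
}

// CheckIdentity is the relying party's view: the chain must end at the trusted
// root and the common name must be the serial number it expects.
func CheckIdentity(root *x509.Certificate, der []byte, wantSerial string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if cert.Subject.CommonName != wantSerial {
		return fmt.Errorf("certificate names %q, expected %q", cert.Subject.CommonName, wantSerial)
	}
	return nil
}

// Provision runs 405 to 425 for one device, then checks the result against
// the trusted root and the serial number the checker expects.
func Provision(issuer, trusted *CA, readSerial, wantSerial string) error {
	pub, _, err := ed25519.GenerateKey(rand.Reader) // private half stays in secure memory
	if err != nil {
		return err
	}
	der, err := issuer.Issue(readSerial, pub)
	if err != nil {
		return err
	}
	return CheckIdentity(trusted.Cert, der, wantSerial)
}

func main() {
	mfr, err := NewCA("Manufacturer CA (constructed)")
	if err != nil {
		panic(err)
	}
	fmt.Println("matching serial:", Provision(mfr, mfr, "SN-0001", "SN-0001"))
	fmt.Println("swapped serial: ", Provision(mfr, mfr, "SN-0001", "SN-0002"))
}
```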

FIG. 5 illustrates one embodiment of a card printer 5 that can be used with the embodiments described herein. The card printer includes a modular print engine 10 that is detachably and removably mounted on top of a lower module 12. The card printer 5 is configured to personalize, for example, plastic cards such as financial cards including credit and debit cards, identification cards, driver's licenses, and other personalized plastic cards.

The modular print engine 10 includes a housing 50 having a front end 52, a rear end 54, a top 56 and a bottom 58. A main card input 60 is located at the front end 52 of the housing 50 through which plastic cards to be processed by the modular print engine 10 and/or by the lower module 12 (i.e. processed by the card printer 5) are input. In some embodiments, the card input 60 can also form a card output through which processed cards can be output from the modular print engine 10. In other embodiments, a card output that is separate from the card input 60, but also located at the front end 52 like the card input 60, can be provided through which processed cards can be output from the modular print engine 10. A card input hopper 62 can be mounted at the front end 52 of the housing 50 that is in communication with the card input 60. In embodiments where a card output is also located at the front end 52, a card output hopper 66 can also be mounted at the front end 52 of the housing 50 that is in communication with the card output for receiving finished processed cards.

A main or first card travel path 68 extends through the housing 50 from the input 60. In the illustrated example, the card travel path 68 extends substantially horizontally through the housing 50 substantially parallel to the bottom 58. Cards are transported along the card travel path 68 by a card transport mechanism, such as sets of rollers 70. A print engine 74 is disposed along the card travel path 68 that is configured to print on a card disposed on the card travel path 68. The print engine 74 can be configured to perform retransfer printing, direct to card printing, ink jet printing, laser marking, laser engraving, and any other type of printing performed on cards.

With continued reference to FIG. 5, a second card travel path 76 can extend upwardly from a card reorienting mechanism 72. In one embodiment, the second card travel path 76 extends substantially vertically upward from the card reorienting mechanism 72. Cards are transported along the card travel path 76 by a card transport mechanism, such as sets of rollers 78.

A removable option module 80 is disposed along the second card travel path 76 and above the first card travel path 68. The removable option module 80 includes at least one card processing mechanism that is configured to perform a processing operation on a plastic card. The removable option module 80 is one of a plurality of removable option modules 80 that can be installed one at a time in the modular print engine 10 to permit changes to the functionality of the modular print engine 10. Each option module 80 is configured to be individually and separately removably installed in the housing 50 along the second card travel path 76 and above the first card travel path 68, and each option module 80 is configured to perform a different processing operation on a plastic card received thereby. One option module 80 can be removed and replaced with a different option module 80 to change the functionality of the modular print engine 10. In one embodiment, the option module 80 can be a magnetic stripe station that can read data on a magnetic stripe of a card and/or write data onto the magnetic stripe. In another embodiment, the option module 80 can be a chip programming station that can read data on a chip of a card and/or write data to the chip.

The lower module 12 generally includes a lower module housing 14 illustrated in dashed lines with a front end 16, a rear end 18 opposite the front end 16, a top 20, and a bottom 22 opposite the top 20. A main card transport path 24 is defined in the housing 14 along which a plastic card is transported generally in a horizontal direction or generally parallel to the top 20 and the bottom 22. A slot 26 is defined in the top 20 of the housing 14 through which a card can be input into the housing 14 from the modular print engine 10 and, in some embodiments, output from the housing 14 back into the modular print engine 10. A secondary card transport path 28 leads from the slot 26 to a card reorienting mechanism 30 that is disposed adjacent to the rear end 18 of the housing 14. In one embodiment, the secondary card transport path 28 can be generally vertical or perpendicular to the main card transport path 24 which can be generally horizontal.

In operation of the lower module 12, a card enters the lower module 12 from the modular print engine 10 through the slot 26. The card is transported along the secondary card transport path 28 and into the card reorienting mechanism 30 which is then rotated to bring the card in line with the main card transport path 24. The card is then directed along the main card transport path 24 to one or more card processing mechanism(s) 36 which perform the one or more processing operations on the card. Examples of card processing mechanisms 36 that can be used include, but are not limited to, a card embosser or a card laminator. The lower module 12 can also include an output 38 at the end of the transport path 24 through which a card can be output from the lower module 12 after processing by the processing mechanism(s) 36. In some embodiments, the lower module 12 may also include a card de-bowing mechanism (not shown) that is used to eliminate a bow that may occur on the card as a result of processing by the processing mechanism(s) 36.

Further details of a card printer are described in U.S. 2016/0300128, which is incorporated by reference in its entirety. An example of retransfer printing is described in U.S. Pat. No. 6,894,710, the entire contents of which are incorporated herein by reference. Examples of suitable card reorienting mechanisms are described in U.S. 2013/0220984 and U.S. Pat. No. 7,398,972, each of which is incorporated herein by reference in its entirety. An example of a suitable de-bowing mechanism that can be used is described in US 2014/0345787, the entire contents of which are incorporated herein by reference.

Aspects described herein can be embodied as a system, method, or computer readable medium. In some embodiments, the aspects described can be implemented in hardware, software (including firmware or the like), or combinations thereof. Some aspects can be implemented in a computer readable medium, including computer readable instructions for execution by a processor. Any combination of one or more computer readable medium(s) can be used.

The computer readable medium can include a computer readable signal medium and/or a computer readable storage medium. A computer readable storage medium can include any tangible medium capable of storing a computer program for use by a programmable processor to perform functions described herein by operating on input data and generating an output. A computer program is a set of instructions that can be used, directly or indirectly, in a computer system to perform a certain function or determine a certain result. Examples of computer readable storage media include, but are not limited to, a floppy disk; a hard disk; a random access memory (RAM); a read-only memory (ROM); a semiconductor memory device such as, but not limited to, an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), Flash memory, or the like; a portable compact disk read-only memory (CD-ROM); an optical storage device; a magnetic storage device; other similar device; or suitable combinations of the foregoing. A computer readable signal medium can include a propagated data signal having computer readable instructions. Examples of propagated signals include, but are not limited to, an optical propagated signal, an electro-magnetic propagated signal, or the like. A computer readable signal medium can include any computer readable medium that is not a computer readable storage medium that can propagate a computer program for use by a programmable processor to perform functions described herein by operating on input data and generating an output.

Some embodiments can be provided through a cloud-computing infrastructure. Cloud computing generally includes the provision of scalable computing resources as a service over a network (e.g., the Internet or the like).

Although a number of methods and systems are described herein, it is contemplated that a single system or method can include more than one of the above discussed subject matter. Accordingly, multiple of the above systems and methods can be used together in a single system or method.

Aspects

It is to be appreciated that any of aspects 1-5, 6-11, 12-19, 20-22 and 23-25 can be combined.

Aspect 1. A printing device comprising:

a housing;

a card input in the housing;

a card travel path that extends through the housing from the card input;

a print engine disposed along the card travel path; and

a secure memory portion that stores a unique and secure identity of the printing device including at least one factory established key associated with an operation performed by the printing device.

Aspect 2. The printing device of aspect 1, wherein the at least one factory established key is a private key.

Aspect 3. The printing device of either one of aspects 1 or 2, further comprising at least one of:

a magnetic stripe station that reads and/or writes data on a magnetic stripe of a card; and

a chip programming station that reads and/or writes data on a chip of a card.

Aspect 4. The printing device of any one of aspects 1-3, wherein the at least one factory established key is a storage root key used to protect data stored outside of the secure memory portion.

Aspect 5. The printing device of any one of aspects 1-4, wherein the print engine is configured to perform at least one of retransfer printing, direct to card printing, ink jet printing, laser marking, and laser engraving on a card.

Aspect 6. A printing device comprising:

a printer functionality component that performs a physical action on a customized personalization document;

a network input/output that transmits and receives data outside the printing device;

a processor that controls operation of the printer functionality component; and

a secure memory portion that stores a unique and secure identity of the printing device including at least one factory established key associated with a secure boot operation.

Aspect 7. The printing device of aspect 6, further comprising a second printer functionality component that performs a second physical action on the customized personalization document, wherein the second physical action is different than the first physical action.

Aspect 8. The printing device of either one of aspect 6 or 7, wherein the at least one factory established key is a public key associated with the secure boot operation.

Aspect 9. The printing device of any one of aspects 6-8, wherein the customized personalization document is a financial or identification card and the printer functionality component includes a print engine adapted to print custom specific information onto the financial or identification card.

Aspect 10. The printing device of any one of aspects 6-9, wherein the secure memory portion stores a public key associated with at least one of a firmware modification operation and a supplies authentication operation.

Aspect 11. The printing device of any one of aspects 6-10, wherein the processor includes a public key burned into a memory portion of the processor.

Aspect 12. A method for establishing a unique and secure identity of a printing device, the method comprising:

obtaining a first private key for use with a first operation of the printing device;

obtaining a second private key for use with a second operation of the printing device;

loading the first private key into a secure memory portion of the printing device during manufacturing of the printing device; and

loading the second private key into the secure memory portion of the printing device during manufacturing of the printing device.

Aspect 13. The method of aspect 12, further comprising burning a hash of a third public key into a processor of the printing device during manufacturing of the printing device.

Aspect 14. The method of either one of aspect 12 or 13, further comprising storing a storage root key into the secure memory portion of the printing device during manufacturing of the printing device.

Aspect 15. The method of aspect 14, wherein loading the first private key into the secure memory portion includes:

- storing at least a portion of the first private key in the secure memory portion,
- encrypting the first private key using the storage root key, and
- sending the encrypted first private key for storage external to the secure memory portion, and

wherein loading the second private key into the secure memory portion includes:

- storing at least a portion of the second private key in the secure memory portion,
- encrypting the second private key using the storage root key, and
- sending the encrypted second private key for storage external to the secure memory portion.

Aspect 16. The method of any one of aspects 12-15, wherein loading the first private key into the secure memory portion includes storing an entire portion of the first private key into the secure memory portion, and

wherein loading the second private key into the secure memory portion includes storing an entire portion of the second private key into the secure memory portion.

Aspect 17. The method of any one of aspects 12-16, further comprising generating an attestation identity key and storing the attestation key into the secure memory portion of the printing device.

Aspect 18. The method of any one of aspects 12-17, wherein the printing device is a card printer.

Aspect 19. The method of any one of aspects 12-18, further comprising generating an attestation identity key and storing the attestation key into the secure memory portion of the printing device.

Aspect 20. A method of generating a unique and secure identity of a printing device during manufacturing of the printing device, the method comprising:

reading a unique printing device serial number associated with a component of the printing device,

sending the unique printing device serial number to a certificate authority,

receiving from the certification authority a certificate that is unique to the printing device containing the unique printing device serial number, and

loading the certificate to the printing device.

Aspect 21. The method of aspect 20, wherein the unique printing device serial number is placed in a common name field of the certificate.

Aspect 22. The method of either one of aspect 20 or 21, further comprising storing a key associated with the certificate into a secure memory portion of the printing device while the printing device is being manufactured.

Aspect 23. A method for performing an operation of a printing device, the method comprising:

a processor of the printing device receiving, from an external secondary device, data and an authorization request for validating authorization for the printing device to perform the operation;

retrieving a key corresponding to the operation stored in a secure memory portion of the printing device;

the processor determining whether the operation is authorized using the authorization request and the retrieved key;

the printing device performing the operation when the operation is authorized; and

the printing device performing a physical action on a customized personalization document.

Aspect 24. The method of aspect 23, wherein the operation is at least one of a printing device authentication operation, a supplies authentication operation, an authenticating a connection to a server operation, an encrypting payload data operation, a firmware modification operation; a print manager authentication operation; a modular device security authentication operation; a printing device configuration setting authentication operation; a print job source authentication operation; a configuration data source authentication operation; a secure boot operation; a Secure Sockets Layer/Transport Layer Security (SSL/TLS) authentication operation; a dual authentication operation; a private key storage authentication operation; and a file system encryption authentication operation.

Aspect 25. The method of either one of aspect 23 or 24, wherein the authorization request is a public key and the key is a private key.

The invention may be embodied in other forms without departing from the spirit or essential characteristics thereof. The embodiments disclosed in this application are to be considered in all respects as illustrative and not limitative. The scope of the invention is indicated by the appended claims rather than by the foregoing description; and all changes which come within the meaning and range of equivalency of the claims are intended to be embraced therein.

1-14. (canceled)

15. A method of generating a unique and secure identity of a printing device during manufacturing of the printing device, the method comprising: reading a unique printing device serial number associated with a component of the printing device, sending the unique printing device serial number to a certificate authority, receiving from the certification authority a certificate that is unique to the printing device containing the unique printing device serial number, and loading the certificate to the printing device.

16. The method of claim 15, wherein the unique printing device serial number is placed in a common name field of the certificate.

17. The method of claim 15, further comprising storing a key associated with the certificate into a secure memory portion of the printing device while the printing device is being manufactured.

18-20. (canceled)
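The provisioning flow of claims 15-17 (serial number read from the device, certificate issued with that serial in the common name, key bound to the certificate), as an added Go example that is not part of the patent text. The throwaway CA, the names `newKey`, `issue` and `checkBeforeLoad`, and the checks made before loading are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newKey is a hypothetical helper; a real device key belongs in the secure memory portion.
func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// issue signs a cert with CN cn; a nil parent self-signs a throwaway CA standing in for the factory CA.
func issue(cn string, id int64, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(id), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkBeforeLoad gates the final step: the certificate must chain to the CA, carry
// the serial read from the hardware as its CN, and certify the device's own key.
func checkBeforeLoad(cert, ca *x509.Certificate, serial string, devPub *ecdsa.PublicKey) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	if cert.Subject.CommonName != serial {
		return errors.New("certificate CN does not match device serial")
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(devPub) {
		return errors.New("certificate key does not match device key")
	}
	return nil
}
```

Calling `issue` with a nil parent creates the stand-in CA; a certificate returned for the wrong serial number, the wrong key, or from a different CA is rejected before it is loaded.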